The open standards in the Dutch Prevention of Money Laundering and Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, "Dutch AML Act") can lead to robust discussions. Authorities, such as the Dutch Central Bank ("DNB"), do not always consider the various ways, in particular through the use of new technology, in which institutions can interpret and implement those open standards in accordance with the Dutch AML Act.
This was also the case in the judgment between DNB and bunq B.V. ("bunq"), a financial institution with a banking license in the Netherlands. To comply with the Dutch AML Act, bunq uses technologies such as artificial intelligence for its client due diligence and transaction monitoring process. DNB was of the opinion that bunq was violating the Dutch AML Act because using these technologies did not lead to adequate and compliant client due diligence and transaction monitoring. As a consequence, DNB took disciplinary measures against bunq by instructing bunq to follow a line of conduct as determined by DNB.
bunq took the case to court, and it was ultimately brought on appeal before the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, "CBb"). Although the ruling did not favor bunq on all aspects, the CBb did rule in favor of bunq in relation to (amongst others) determining the purpose and intended nature of a business relationship and conducting transaction monitoring, which will be further discussed in this article.
Purpose and intended nature of business relationship
Financial institutions that need to comply with the Dutch AML Act need to determine the purpose and the intended nature of the business relationship with their customers before entering into a business relationship, as stipulated in Article 3(2)(c) in conjunction with Article 5(1) of the Dutch AML Act.
For its retail customers, bunq complies with this requirement by determining the purpose and intended nature of the business relationship based on assumptions prior to entering into a business relationship. bunq is able to do so by establishing two segments of retail customers based on an analysis of its data. The first group contains a homogeneous group of customers who fall within the 'regular user profile' and who use their payment account within the 'regular use' limits. bunq assumes that the vast majority of customers behave according to that user profile. This 'regular user profile' was created using data analysis and artificial intelligence and is said to have a low risk of money laundering. On an ongoing basis, bunq reviews whether the customer still fits within the 'regular user profile'. The moment this is not (or no longer) the case, bunq asks the customer questions in order to determine whether the 'regular user profile' is still suitable for the client and will amend this profile if necessary.
DNB is of the opinion that by implementing such a procedure, bunq determines the purpose and nature of the intended relationship only after transaction monitoring has taken place. DNB based this opinion on the fact that no specific information was obtained from the client and therefore an assumption about the purpose and intended nature of the business relationship is made. The CBb rules differently and indicates that the fact that the allocation of a 'standard payment account' is based on a reasoned assumption does not mean that bunq was unable to assess the possible risks involved for a specific customer falling within the 'regular user profile'. The CBb thus does not consider that bunq determines the purpose and intended nature of the business relationship only after entering into the business relationship (after transaction monitoring has taken place). bunq only monitors whether the assigned 'regular user profile' of customers needs adjustment and thus asks additional questions where necessary. According to the CBb this is compliant with the Dutch AML Act as the Act does not prescribe the manner in which the customer due diligence must be carried out. The information bunq has on the client should solely enable bunq to determine the purpose and intended nature of the business relationship in order to assess any risks posed by the provision of services to a customer, which bunq is able to do.
For its corporate customers, DNB reproaches bunq for not determining the purpose and intended nature of the relationship for existing customer files when updating these files, as bunq updates this information on the basis of information it already possesses. The CBb rules that it is not necessary to obtain this information by specifically questioning the corporate customer, as the Dutch AML Act does not stipulate this. As mentioned previously, the Dutch AML Act only states that an institution should determine the purpose and intended nature of the business relationship in order to assess any risks posed by the provision of services to a client. As bunq is able to comply with this provision based on existing client information, the CBb rules that bunq duly complies with the Dutch AML Act in that regard.
DNB also reproaches bunq for not being able to carry out adequate transaction monitoring as required by Article 3(2)(d) of the Dutch AML Act, considering that (retail) customers are all assigned the same profile. According to DNB, bunq is therefore not able to review whether the transactions carried out by customers involve unusual patterns and/or transactions that may indicate money laundering or terrorist financing. On this point the CBb does not agree with DNB's view, as the CBb already deemed that the way bunq gathers information about its customers is compliant with the Dutch AML Act.
What does this ruling mean for the sector?
The CBb's judgment on customer and transaction due diligence is in line with the nature and purpose of the Dutch AML Act, which requires institutions to make their own assessment of the risks applicable to a customer followed by sufficient mitigating measures. The judgment of the CBb is also desirable because the information that a financial institution gathers about a client via transaction monitoring is usually much more accurate than the information that the client shares (in advance) with the financial institution.
The ruling gives institutions the possibility to use new technologies, such as artificial intelligence, to improve and innovate their processes and will allow institutions to implement more efficient procedures. As indicated above, gathering information about the purpose and intended nature of the business relationship will have to enable an institution to assess any risks posed by the provision of services to a client. When doing so, a financial institution may use information obtained through data analysis and statistical research. The fact that this information (at the beginning of the business relationship) is based on assumptions does not alter the ability to estimate these risks, as long as the institution complies with the Dutch AML Act.
The ruling gives financial institutions in the Netherlands the possibility, where possible, to request less information from customers when entering into a business relationship. It also allows them to make greater use of certain new technologies, such as machine learning and/or other forms of artificial intelligence, in the context of customer due diligence and transaction monitoring, and to adjust the information about the client afterwards. Of course, in the end such procedures need to comply with the Dutch AML Act.